Maybe you heard about the Anthem data breach reported last year, in which hackers stole personal information of up to 80 million consumers. Anthem is the second largest health insurer in the country, operating numerous affiliates, including Blue Cross/Blue Shield health plans, in a number of states. The company caught major grief over the breach, including bad press, political heat, investigations and lawsuits, but none of that prevented it from moving to purchase one of its largest competitors (although that competitor’s CEO had earlier cited the “massive data breach” as a possible deal killer), and its stock value actually increased over the year.
Still, Anthem’s data breach was a dramatically large example of a disturbing trend in which crime, the internet, federal law, shaky security protocols and your most personal health information intersect. It’s a problem that’s getting worse and that isn’t really under control. It’s now well established that “more and more health data are showing up in the” so-called “dark web,” per a recent report from the Infosec Institute, which adds “unlike credit card numbers, healthcare information is non recoverable, and potentially lethal in the wrong hands.” In fact, per another report, medical data is worth more than your credit card. Not only may it be used to file false tax returns, but “to create supplies and equipment that can be resold” says the website Solutionary and, says the Wall Street Journal, to actually obtain health care services and prescription medications. The referenced WSJ article reports Dr. Shantanu Agrawal, director of the Center for Program Integrity at the CMS, as saying “You can end up with diagnoses being placed in your file without your knowledge.”
So, whereas a credit card thief may run up some bills on that card which you can probably get out of paying, and an identity thief may temporarily get into your bank account or steal your tax return, not only may the health data thief do all those things, he may also get medicine or medical treatment in your name, or payment for your services, and your health care records may wind up altered because of it. Getting that straightened out in the byzantine world of health data systems may not be simple.
Even doctors are vulnerable. One report describes “a seller on” a “darknet marketplace” who posted “stolen healthcare data” and another “large file…which contained the name, address, Social Security number and other sensitive information on dozens of physicians across the country.”
All this may in part be an unintended side effect of federal efforts to improve delivery of health care services. Congress enacted the Health Information Technology for Economic and Clinical Health (“HITECH”) Act in 2009 as part of the American Recovery and Reinvestment Act (otherwise known as “the Stimulus Package”). The HITECH Act was intended to “promote the adoption and meaningful use of health information technology” by requiring health practitioners to adopt electronic health record capability, while also strengthening the health care data privacy and security rules originally mandated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The idea was to make it easier for health practitioners, health insurers and consumers to create and exchange reliable health care records, while also assuring their protection. And yet, Taylor Armstrong at CSO Online cites reports that “the PHI of nearly 120 million Americans has been compromised since the 2009 Breach Notification Rule took effect as part of the federal … (HITECH) Act.”
Other factors cited by industry sources in Mr. Armstrong’s very helpful article are “increasing adoption of PACS (Picture Archiving and Communication System) for radiology departments, the widespread adoption of mobile devices by many physicians, and an ever-increasing amount of medical equipment becoming network enabled.” Among those quoted is Morris Panner, CEO of DICOM Grid: “‘Health information has a strange paradox,’ he said. ‘You want it to be private from most people, yet when you require care, you want a lot of people to see it, really fast. … This is a very tough workflow, and nothing similar exists in the retail or financial world.” Also quoted is Daniel Berger, CEO of Redspin: “‘PHI is anything but ‘protected,’ he said, noting that spending in the healthcare industry on security, ‘is very low compared to other industries that rely on sensitive data.’”
I can assure you that most health care practitioners, health insurers and health service companies take data protection very seriously. Members of our firm have worked extensively with clients to help develop strong health data privacy and security standards, often to meet the stringent requirements of companies such as Anthem. But not everyone is as diligent as they should be, no one wants to make health data inaccessible when it is truly needed, and there’s a “whack-a-mole” element that makes staying on top of new technologies and every potential problem a major challenge. As a result, per one source, it’s “relatively easy to break into health care facilities’ networks,” and another reports that “very few organizations require their employees to install anti-virus/anti-malware software on their smartphones or tablets, scan them for viruses or malware, or scan and remove all mobile apps that present a security threat prior to allowing them to be connected to their networks or systems.”
So it’s a huge and growing problem and it puts patients, health care practitioners and insurance companies at great risk. Is there anything you can do to protect your data without putting your health in jeopardy when you might, say, need emergency care and are unable to share a password?
Join me in my next article and I’ll share some advice from smart people who’ve given this a lot of thought.
B. Allen Bradford is a senior member and co-founder of Bradford, Perlstein & Associates, LLC, and is “of counsel” with James, James & Joyner. Most of his clients are emerging and entrepreneurial businesses, health care providers and other professionals. He writes this occasional column primarily to demystify the intersection of legal and health issues for individual consumers, physicians and small businesses. However, nothing herein is intended as legal advice. You can follow Allen on Twitter at: @LegalHealth.